Rule 942-APPLICATION-ATTACK-SQLI (id: 942360) contains false positive · Issue #3914 · coreruleset/coreruleset · GitHub
abudawud opened this issue Oct 31, 2024 · 6 comments
Comments

@abudawud (Contributor)

Description

Hi, I'm so sorry for the issue that I have reported.
Many thanks to the CRS team for this awesome WAF rule.

I think a request "1. update your apps" must not match rule id 942360.
Is there any way to patch the signature of the rule?

How to reproduce the misbehavior (-> curl call)

  1. Open browser
  2. visit: https://sandbox.coreruleset.org/?q=1.%20update%20your%20apps

Logs

Your Environment

CRS Sandbox environment

Confirmation

[x] I have removed any personal data (email addresses, IP addresses,
passwords, domain names) from any logs posted.

@Xhoenix (Member) commented Oct 31, 2024

Hi @abudawud,

Thanks for reporting this. Can you kindly provide more details, like error logs and modsec_audit logs? You should hide sensitive info (IP addresses, domain names, etc.).

From what I see the offending regex seems to be this:

^[\W\d]+\s*?update\s+\w+

@abudawud (Contributor, Author) commented Nov 1, 2024

Hi @Xhoenix
Thanks for your help

I think all logs are already available at the CRS Sandbox.

@Xhoenix (Member) commented Nov 1, 2024

I need the logs of the actual request that created the FP to be able to help you; as you can understand, anybody can read the regex and create an intentional FP, just saying. Kindly provide your error and modsec_audit logs, and I'll be able to create a rule exclusion for you.

@RedXanadu (Member)

To help move things along here, this is what can be observed at PL 2:

$ curl -v -o/dev/null --resolve example.com:80:127.0.0.1 'example.com/?q=1.%20update%20your%20apps'

[Wed Nov 06 12:48:30.593362 2024]
    [security2:error]
    [pid 237:tid 123943595804352]
    [client 172.18.0.1:40210]
    [client 172.18.0.1]
    ModSecurity: Warning. Pattern match "(?i)\\\\b(?:(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\\\s\\\\x0b]+(?:char|group_concat|load_file)\\\\b[\\\\s\\\\x0b]*\\\\(?|end[\\\\s\\\\x0b]*?\\\\);)|[\\\\s\\\\x0b\\\\(]load_file[\\\\s\\\\x0b]*?\\\\(|[\\"'`][\\\\s\\\\x0b]+regexp[^0-9A-Z_a-z]|[\\"'0-9A- ..." at ARGS:q.
    [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
    [line "489"]
    [id "942360"]
    [msg "Detects concatenated basic SQL injection and SQLLFI attempts"]
    [data "Matched Data: 1. update your found within ARGS:q: 1. update your apps"]
    [severity "CRITICAL"]
    [ver "OWASP_CRS/4.9.0-dev"]
    [tag "modsecurity"]
    [tag "application-multi"]
    [tag "language-multi"]
    [tag "platform-multi"]
    [tag "attack-sqli"]
    [tag "paranoia-level/1"]
    [tag "OWASP_CRS"]
    [tag "capec/1000/152/248/66"]
    [tag "PCI/6.5.2"]
    [hostname "example.com"]
    [uri "/"]
    [unique_id "ZytlniRgA_tBdp_ot4qcvAAAAMI"]

[Wed Nov 06 12:48:30.593509 2024]
    [security2:error]
    [pid 237:tid 123943595804352]
    [client 172.18.0.1:40210]
    [client 172.18.0.1]
    ModSecurity: Warning. Pattern match "(?i)(?:alter|(?:(?:cre|trunc|upd)at|renam)e|de(?:lete|sc)|(?:inser|selec)t|load)[\\\\s\\\\x0b]+(?:char|group_concat|load_file)[\\\\s\\\\x0b]?\\\\(?|end[\\\\s\\\\x0b]*?\\\\);|[\\\\s\\\\x0b\\\\(]load_file[\\\\s\\\\x0b]*?\\\\(|[\\"'`][\\\\s\\\\x0b]+regexp[^0-9A-Z_a-z]|[^A-Z_a-z][\\\\s\\\\x0b ..." at ARGS:q.
    [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
    [line "1076"]
    [id "942362"]
    [msg "Detects concatenated basic SQL injection and SQLLFI attempts"]
    [data "Matched Data: 1. update found within ARGS:q: 1. update your apps"]
    [severity "CRITICAL"]
    [ver "OWASP_CRS/4.9.0-dev"]
    [tag "modsecurity"]
    [tag "application-multi"]
    [tag "language-multi"]
    [tag "platform-multi"]
    [tag "attack-sqli"]
    [tag "paranoia-level/2"]
    [tag "OWASP_CRS"]
    [tag "capec/1000/152/248/66"]
    [tag "PCI/6.5.2"]
    [hostname "example.com"]
    [uri "/"]
    [unique_id "ZytlniRgA_tBdp_ot4qcvAAAAMI"]

@RedXanadu (Member)

It's probably the presence of the word update. If this is indeed being flagged at PL 1 then we should fix that.

@RedXanadu (Member)

It looks like the offending pattern is this sub-pattern from 942360.ra:

^[\W\d]+\s*?update\s+\w+

It's quite specific, but maybe we could rethink the rule/patterns. The rule would also match against, for example, the following strings:

1. Create the file.
2. Delete the file.
3. Drop the traffic.
4. Load the disc into the tray.
5. Select the correct option.

The rule requires the string to start with either non-word characters or digits, followed by spaces. So, this will not match strings like "Next create the file".

A rule exclusion would also be an acceptable answer, here, I think.
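The following is an added example, not code from the issue or from the CRS project, for reproducing the matching behaviour described above offline before deciding between a pattern change and a rule exclusion. It compiles the quoted `942360` sub-pattern with the case-insensitive flag the logged rule uses (`(?i)`) and runs it, together with an assumed widening to the other verbs in the list above (my approximation of the sibling sub-patterns, not CRS's actual regex), over a handful of constructed strings. The samples include the reported request, one of the list items, and two strings that should not match because the `^[\W\d]+` prefix requires the value to begin with at least one non-word character or digit.

```python
import re

# Sub-pattern quoted in the issue for rule 942360. The logged rule begins
# with "(?i)", so the sub-pattern is compiled case-insensitively here too.
UPDATE_SUBPATTERN = re.compile(r"^[\W\d]+\s*?update\s+\w+", re.IGNORECASE)

# ASSUMPTION: widened to the verbs RedXanadu lists (create, delete, drop,
# load, select). This approximates the family of sub-patterns the comment
# implies; it is not the regex CRS ships.
VERB_SUBPATTERN = re.compile(
    r"^[\W\d]+\s*?(?:update|create|delete|drop|load|select)\s+\w+",
    re.IGNORECASE,
)


def matches_update(value: str) -> bool:
    """True if the quoted 942360 sub-pattern matches the argument value."""
    return UPDATE_SUBPATTERN.search(value) is not None


def triage(values, pattern=VERB_SUBPATTERN):
    """Map each value to the matched text (what ModSecurity would log as
    'Matched Data'), or None when the pattern does not fire."""
    result = {}
    for value in values:
        hit = pattern.search(value)
        result[value] = hit.group(0) if hit else None
    return result


# Constructed samples: the reported request, one item from the numbered
# list in the thread, and benign variants without a leading digit/prefix.
SAMPLES = [
    "1. update your apps",
    "1. Create the file.",
    "Next create the file",
    "update your apps",
    "Please update your apps",
]

if __name__ == "__main__":
    for value, matched in triage(SAMPLES).items():
        status = "MATCH" if matched else "no   "
        print(f"{status}  {value!r} -> {matched!r}")
```

Run as a script it prints the matched text for the first two samples (`'1. update your'` and `'1. Create the'`, the same fragments ModSecurity reports as Matched Data) and `None` for the rest, which is the behaviour RedXanadu describes: the leading `[\W\d]+` is what makes numbered instructions match while "Next create the file" does not. If the false positive is confirmed for one parameter only, the site-specific fix CRS documents is a ModSecurity exclusion such as `SecRuleUpdateTargetById 942360 "!ARGS:q"`, loaded after the CRS rules, rather than editing the rule file itself.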
